This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
Configure Splunk for Windows to index your Windows Application, System, and Security event logs. Splunk for Windows can also monitor and index changes to your registry and accept WMI data input. This functionality is not yet exposed in Splunk Web or the CLI.
In addition to the information in this topic and the subsequent topics on Windows inputs, you can watch this step-by-step video that covers installing and configuring inputs for Splunk on Windows.
When you run the Splunk Windows installer, you are given the option to set up indexing and/or monitoring for the event logs, the registry, and for WMI. If you choose to do this, the default values for these settings are assumed. Once you have completed the installation, you can then make changes to the default values set by the installation process.
If you want to make changes to the default values, edit a copy of inputs.conf in $SPLUNK_HOME\etc\system\local\. You only have to provide values for the attributes you want to change within the stanza. For more information about how to work with Splunk configuration files, refer to How configuration files work.
At a high level, here are the basic steps to get data into Splunk on Windows. Use the more detailed information in this and the next topics in this manual to proceed:
1. Copy inputs.conf from $SPLUNK_HOME\etc\system\default to $SPLUNK_HOME\etc\system\local.
2. Un-mark it "Read Only".
3. Open and enable the Windows Event Log inputs.
4. Enable the Registry and WMI scripted inputs.
5. Copy wmi.conf from $SPLUNK_HOME\etc\system\default to $SPLUNK_HOME\etc\system\local.
6. Un-mark it "Read Only".
7. Enable local WMI polling.
8. Restart Splunk.
Windows event logs are stored in binary *.evt files and cannot be monitored like a flat file. The settings for which event logs to index are in the following stanzas in inputs.conf:
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
You can configure Splunk to read non-default Windows event logs as well, but you must import them into the Windows Event Viewer first, and then add them to your local copy of inputs.conf (usually $SPLUNK_HOME\etc\system\local\inputs.conf) as follows:
[WinEventLog:DNS Server]
disabled = 0
[WinEventLog:Directory Service]
disabled = 0
[WinEventLog:File Replication Service]
disabled = 0
To disable indexing for an event log, add disabled = 1 below its listing in the stanza in $SPLUNK_HOME\etc\system\local\inputs.conf.
The global settings for Windows registry monitoring are in the following stanza in inputs.conf:
[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.py]
interval = 60
sourcetype = WinRegistry
source = WinRegistry
disabled = 0
Note: The Splunk registry input monitoring script (splunk-regmon.py) is configured as a scripted input. Do not change this value.
source: labels these events as coming from the registry.
sourcetype: assigns these events as registry events.
interval: specifies how frequently to poll the registry for changes, in seconds.
disabled: indicates whether the feature is enabled. Set this to 1 to disable this feature.
The Windows registry monitoring functionality uses two additional configuration files that are described in Windows registry input. You may wish to review that page before proceeding.
Note: You must use two backslashes \\ to escape wildcards in stanza names in inputs.conf. Regexes with backslashes in them are not currently supported when specifying paths to files.
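The layering described above (a stanza in etc\system\local only needs the attributes it changes; everything else comes from etc\system\default) is easy to get wrong when checking whether the Security log or the registry monitor is really being collected. The following script is an added example, not Splunk's own code: it parses the stanzas, merges local over default, and lists the inputs that are effectively enabled. Both conf texts are constructed samples.

```python
# Added example (not Splunk's code): layer etc\system\local over
# etc\system\default as Splunk does; both files below are constructed.

DEFAULT_CONF = """
# Windows platform specific input processor.
[WinEventLog:Application]
disabled = 0
[WinEventLog:Security]
disabled = 0
[WinEventLog:System]
disabled = 0
[script://$SPLUNK_HOME\\bin\\scripts\\splunk-regmon.py]
interval = 60
sourcetype = WinRegistry
disabled = 0
"""

# Local override: only the attributes being changed need to appear.
LOCAL_CONF = """
[WinEventLog:Application]
disabled = 1
[WinEventLog:DNS Server]
disabled = 0
[script://$SPLUNK_HOME\\bin\\scripts\\splunk-regmon.py]
interval = 30
"""

def parse_conf(text):
    """Return {stanza: {key: value}}; comment and blank lines are skipped."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = conf.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conf

def effective_inputs(default_text, local_text):
    """Merge local over default; a stanza keeps default keys it does not override."""
    merged = {n: dict(a) for n, a in parse_conf(default_text).items()}
    for name, attrs in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(attrs)
    return merged

def enabled_inputs(merged):
    return sorted(n for n, a in merged.items() if a.get("disabled", "0") != "1")
```

Running enabled_inputs(effective_inputs(DEFAULT_CONF, LOCAL_CONF)) shows that Application is off, DNS Server is on, and the registry monitor keeps its default sourcetype while polling every 30 seconds.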